Vulnerability Development mailing list archives

Re: New Remote Hole found in Berkeley Fingerd!


From: Olaf Kirch <okir () caldera de>
Date: Wed, 21 Nov 2001 13:11:45 +0100

On Tue, Nov 20, 2001 at 11:23:26PM +0000, vuln-dev wrote:
> this weaknesses known to public sector (not disk sector hehehe) so problem
> may be fixed in reliable manner. We invent several fuzz testing tool for
> remote daemon and we thus are able to stress test application for security.
> GOBBLES LABS uses proprietary artificial intelligence tool to aid in
> enumeration of remote host banner and then able to identify flaw through new

Highly amusing. Really.

> program: Berkeley finger.cgi
> website: http://www.csua.berkeley.edu/cgi-bin/finger?source

First off, this is not the Berkeley fingerd. Period.

What this ADVISORY (tadaa) is about is some lame cgi script, and
the script looks a lot like the lame old finger.cgi that was shipped
with the CERN httpd in the early 90s. Boys, this bug is ancient.
It's so old it even stopped smelling bad.

This doesn't mean though that whoever currently maintains the script
has a lot of security clue either. And no, it's not enough
to just exclude newlines either. Think $(...). Think - and @
which can be used in finger -l and finger @.

Sigh.

Olaf "I want a fuzz tool too" Kirch
-- 
Olaf Kirch         |  --- o --- Nous sommes du soleil we love when we play
okir () monad swb de  |    / | \   sol.dhoop.naytheet.ah kin.ir.samse.qurax
okir () caldera de    +-------------------- Why Not?! -----------------------
         UNIX, n.: Spanish manufacturer of fire extinguishers.
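The point Olaf makes above (stripping newlines is not a fix, because `$(...)`, a leading `-` and `@` still reach the shell or finger itself) can be checked in a few lines. The following is an added example, not code from this post or from the Berkeley finger.cgi: it puts the newline-stripping approach next to an allowlist validator that builds an argv list and never involves a shell. The login-name pattern and the constructed inputs are assumptions chosen for illustration.

```python
import re
import shlex
import subprocess


def naive_shell_command(user: str) -> str:
    """The weak fix the post criticises: drop newlines, then hand the rest to
    a shell as 'finger <user>'.  Constructed for illustration; the command
    string mirrors what an old CGI wrapper would have done."""
    cleaned = user.replace("\n", "").replace("\r", "")
    return f"finger {cleaned}"


def argv_seen_by_shell(user: str) -> list[str]:
    """Show how /bin/sh would tokenise the naive command.  Whitespace splits
    the input into extra arguments, so a leading '-' becomes a finger option
    and '@host' becomes a remote query; '$(...)' would be expanded by the
    shell before finger ever runs (shlex does not expand it, so it appears
    verbatim here)."""
    return shlex.split(naive_shell_command(user))


# Hardened form: accept only a plain local login name.  The pattern is an
# assumption for this example: must start with a letter or underscore (so it
# can never be an option), no '@', no whitespace, no shell metacharacters.
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_.-]{0,31}")


def build_finger_argv(user: str) -> list[str]:
    """Validate against the allowlist and return an argv list.  fullmatch()
    requires the whole string to match, so a trailing newline is rejected
    rather than silently stripped."""
    if not USERNAME_RE.fullmatch(user):
        raise ValueError(f"rejected finger query: {user!r}")
    return ["finger", user]


def run_finger(user: str, timeout: float = 5.0) -> str:
    """Run finger with an argv list (no shell).  Only reached for inputs
    that passed build_finger_argv()."""
    proc = subprocess.run(
        build_finger_argv(user),
        capture_output=True,
        text=True,
        timeout=timeout,
        check=False,
    )
    return proc.stdout


def compare_filters(user: str) -> dict:
    """For one constructed input, report what the naive filter passes on to
    the shell and whether the allowlist accepts it."""
    try:
        build_finger_argv(user)
        accepted = True
    except ValueError:
        accepted = False
    return {"naive_argv": argv_seen_by_shell(user), "allowlist_accepts": accepted}


if __name__ == "__main__":
    # Constructed inputs covering the three cases named in the post plus a
    # newline-only attempt and a legitimate name.
    for sample in ["okir", "okir\n", "-l root", "okir@otherhost", "$(...)"]:
        print(repr(sample), compare_filters(sample))
```

Running the block prints, for each constructed input, the argument vector the naive wrapper would expose to the shell and whether the allowlist lets it through; only the plain login name is accepted, and that one is executed with `subprocess.run` on a list rather than through a shell string.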
